Chinese Spy Used Spear Phishing to Steal NASA Defense Software

A Four-Year Impersonation Campaign Hiding in Plain Sight
Between 2017 and 2021, according to a federal indictment returned in September 2024, a Chinese national named Song Wu ran a multi-year spear-phishing operation against U.S. government, military, and academic targets. An engineer at the Aviation Industry Corporation of China (AVIC), one of the world's largest state-owned aerospace and defense conglomerates, Wu allegedly created fake email accounts impersonating real U.S.-based researchers and engineers, then used those accounts to systematically request restricted software from NASA employees, military personnel, and university researchers.
The targets were not random. The software Wu sought was specialized for aerospace engineering and computational fluid dynamics — tools with direct applications in the development of advanced tactical missiles, weapons aerodynamics, and military aircraft design. This was not opportunistic cybercrime. It was a calculated, state-aligned intelligence operation conducted entirely through email.
How the Spear-Phishing Campaign Worked
Unlike mass phishing campaigns that blast thousands of generic emails, spear phishing is precise. Wu's operation demonstrated a level of patience and research that should concern every organization handling sensitive information.
Step 1: Research the Target
Wu identified specific individuals within NASA, the U.S. Air Force, the Navy, the Army, the Federal Aviation Administration, and major research universities who had access to the aerospace software he wanted. He studied their professional networks, their institutional roles, and the names of their colleagues.
Step 2: Build a Convincing Identity
Rather than sending emails from suspicious-looking addresses, Wu created email accounts that impersonated real U.S.-based researchers and engineers. The recipients believed they were corresponding with a known peer — someone whose name they recognized and whose request seemed professionally reasonable.
Step 3: Make the Ask
Once trust was established, Wu requested access to restricted or proprietary software. The requests were framed as routine academic or research collaboration — the kind of email that researchers receive regularly and fulfill without a second thought.
Step 4: Repeat and Scale
Wu ran this operation for four years across multiple targets, multiple agencies, and multiple impersonated identities. The duration itself is remarkable — it suggests that the campaign went largely undetected for an extended period, with individual victims having no reason to suspect that the same actor was targeting their colleagues at entirely different institutions.
The Red Flags That Were Eventually Caught
The NASA Office of Inspector General identified several warning signs during its investigation. Each is instructive for any organization looking to harden itself against similar campaigns:
- Repeated requests for identical software — the same tools were requested through different impersonated identities, creating a pattern visible only when requests were correlated across the organization.
- Unclear justifications — when pressed for details about why the software was needed, the responses were vague or inconsistent with what a genuine researcher would say.
- Unusual payment methods — for software that required licensing fees, the procurement channels did not match standard institutional processes.
- Attempts to circumvent restrictions — some requests specifically tried to sidestep export controls and access limitations, a significant red flag for defense-adjacent technology.
Each of these signals is subtle in isolation. It was only when investigators connected the dots across multiple incidents that the scope of the operation became clear.
Why Spear Phishing Remains the Top Threat to High-Value Targets
Nation-state actors have access to zero-day exploits, advanced malware, and sophisticated hacking infrastructure. Yet time and again, the attack vector of choice for stealing the most sensitive information is a well-crafted email. There is a reason for that.
Spear phishing exploits the one vulnerability that no firewall can patch: human trust. When an email appears to come from a known colleague, references a legitimate project, and makes a reasonable request, the recipient's default response is to help. That instinct — collaboration, professional courtesy, trust in institutional email systems — is precisely what attackers weaponize.
The Wu case is especially instructive because the targets were not careless. NASA engineers, military researchers, and university professors are among the most technically literate audiences an attacker can choose. They were not tricked by misspelled emails or obvious scams. They were tricked by context: by requests that fit seamlessly into their professional routines.
What Organizations Can Learn from This Case
The Song Wu indictment is not just a national security story. It is a blueprint for the kind of targeted social engineering that every organization with valuable intellectual property, proprietary technology, or sensitive data should prepare for. Here is what the case teaches us:
1. Verify Identity Through a Separate Channel
If someone requests access to restricted resources via email, no matter how legitimate they appear, verify their identity through a separate communication channel. A phone call, a video meeting, or a message through an established internal platform can expose an impersonation attempt that email alone cannot, provided the contact details for that channel come from an institutional directory or a previous trusted interaction, not from the signature block of the email being verified.
2. Implement Request Correlation
One reason Wu's campaign lasted four years was that individual targets had no visibility into requests being made to other teams or agencies. Organizations should log access requests for sensitive resources (who asked, from which address and display name, for which tool, and on what justification) and correlate them centrally, so that patterns such as the same software being requested under several identities, or a familiar name arriving from an unfamiliar domain, become visible to a single reviewer.
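The correlation that the red-flag list above (repeated requests for identical software) and this recommendation both call for can be prototyped in a few dozen lines. The following Python is an added example written for this article; it is not code from NASA, the investigators, or the indictment. The request log, the researcher directory, and every name and domain in them are constructed for illustration, and the two checks it runs (a known display name arriving from the wrong domain, and one tool requested under several sender addresses across several recipient organizations) are assumptions about what a sensible first rule set looks like, not a description of how the case was actually detected.

```python
"""Correlate software-access requests to surface name-based impersonation and
repeated requests for the same restricted tool.

Added example for this article, not NASA or investigator tooling.  All names,
addresses, domains and dates below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    ts: datetime
    sender: str         # address in the From: header
    display_name: str   # display name in the From: header
    claimed_org: str    # affiliation asserted in the message body
    software: str       # tool or package requested
    recipient_org: str  # team or agency that received the request


# Constructed directory of known collaborators: name -> institutional domain.
# A real deployment would pull this from an HR or identity system.
DIRECTORY = {
    "Dana Reyes": "example-univ.edu",
    "Marcus Li": "aero-lab.example",
}

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def impersonation_flags(req: Request) -> list[str]:
    """Per-message checks: a familiar name arriving from a domain other than the
    one the directory knows it by, or an institutional affiliation asserted
    from a free webmail account."""
    flags = []
    dom = sender_domain(req.sender)
    expected = DIRECTORY.get(req.display_name)
    if expected and dom != expected:
        flags.append(f"'{req.display_name}' is known at {expected}, sender is {dom}")
    if dom in FREE_MAIL and req.claimed_org:
        flags.append(f"claims {req.claimed_org} affiliation from webmail ({dom})")
    return flags


def correlate(requests, min_senders: int = 2) -> dict:
    """Cross-request check: the same software requested by several distinct
    sender addresses, reported with the spread across recipient organizations
    and the time span, so a long-running campaign is visible as one lead."""
    by_tool = defaultdict(list)
    for r in requests:
        by_tool[r.software].append(r)
    findings = {}
    for tool, reqs in by_tool.items():
        senders = {r.sender for r in reqs}
        if len(senders) < min_senders:
            continue
        reqs.sort(key=lambda r: r.ts)
        findings[tool] = {
            "senders": sorted(senders),
            "recipient_orgs": sorted({r.recipient_org for r in reqs}),
            "span_days": (reqs[-1].ts - reqs[0].ts).days,
        }
    return findings


# Constructed request log.  Three messages ask for the same solver under two
# impersonated names and three webmail addresses, sent to three different
# organizations years apart; one message is a genuine request from a
# directory address for a different tool.
SAMPLE_REQUESTS = [
    Request(datetime(2017, 3, 2), "dana.reyes.research@gmail.com", "Dana Reyes",
            "Example University", "cfd-solver", "nasa-center-a"),
    Request(datetime(2017, 9, 15), "d.reyes@example-univ.edu", "Dana Reyes",
            "Example University", "mesh-tool", "nasa-center-a"),
    Request(datetime(2018, 1, 20), "marcus.li.aero@outlook.com", "Marcus Li",
            "Aero Lab", "cfd-solver", "airforce-lab"),
    Request(datetime(2020, 6, 1), "dreyes.lab@yahoo.com", "Dana Reyes",
            "Example University", "cfd-solver", "navy-lab"),
]


def review(requests) -> dict:
    """Combine both checks into one report: flagged senders and correlated tools."""
    per_sender = {r.sender: impersonation_flags(r) for r in requests}
    return {
        "suspicious_senders": {s: f for s, f in per_sender.items() if f},
        "correlated_software": correlate(requests),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REQUESTS), indent=2))
```

Running the file prints a JSON report in which the three webmail senders are flagged individually and `cfd-solver` appears once as a correlated lead spanning three recipient organizations and roughly three years. The correlation step reports a lead, not a verdict: genuine collaborators may also ask for a popular tool, so its purpose is to route every request for the same restricted software into one review queue, where span, spread, and the per-sender flags can be judged together rather than one inbox at a time.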
3. Treat Export-Controlled and Restricted Software Differently
Access to restricted software should never be granted through an informal email exchange. Formal approval workflows, identity verification, and institutional authorization should be mandatory — regardless of how routine the request appears.
4. Train for Sophistication, Not Just Obviousness
Most phishing awareness programs train employees to spot obvious red flags: misspellings, suspicious domains, threatening language. That is necessary but insufficient. Employees who handle sensitive information need training that simulates realistic, targeted attacks — the kind where the sender's name is familiar, the request sounds reasonable, and the only red flag is a subtle inconsistency in context.
This is where security awareness platforms like empowsec provide critical value. By running spear-phishing simulations that mirror real-world tactics — impersonation, pretexting, authority exploitation — organizations can test whether their employees would catch an attack like Wu's before a real adversary tries. Employees who fall for a simulation receive immediate, targeted training on what they missed, turning each exercise into a concrete improvement in organizational resilience.
5. Cultivate a Culture of Healthy Skepticism
The most important defense is cultural. Employees should feel empowered — even encouraged — to question unexpected requests, ask for verification, and flag anything that feels slightly off. In environments where speed and helpfulness are prized above caution, social engineering thrives. The organizations that catch these attacks are the ones where pausing to verify is treated as professionalism, not paranoia.
The Legal Consequences
In September 2024, a federal grand jury indicted Song Wu on 14 counts of wire fraud and 14 counts of aggravated identity theft. If convicted, he faces up to 20 years in prison for each wire fraud count, plus a mandatory two-year sentence for each aggravated identity theft count, served consecutively to any other sentence. A federal arrest warrant has been issued.
Wu remains at large, believed to be in China. While the likelihood of extradition is low, the indictment sends a clear signal and provides a detailed public record of the tactics used — information that defenders everywhere can learn from.
Key Takeaways
The Song Wu case is a stark reminder that the most damaging cyberattacks often require nothing more than a convincing email. Here is what your organization should take away:
- Spear phishing is the weapon of choice for nation-state actors — not because they lack technical sophistication, but because impersonation works.
- High-value targets are not immune. NASA engineers and military researchers were successfully deceived. Technical expertise does not equal phishing resistance.
- Duration is the danger. Wu operated for four years. Without cross-organizational visibility and request correlation, long-running campaigns can go undetected.
- Verification must be out-of-band. Any request for restricted resources should be confirmed through a separate channel — never solely through email.
- Train for realistic threats. Generic phishing awareness is not enough. Employees handling sensitive data need simulation-based training that replicates the sophistication of real adversaries.
- Make skepticism safe. Employees must feel empowered to question, verify, and delay without professional consequences. A culture of caution is your strongest defense.
Attackers like Song Wu succeed not because their technology is superior, but because their understanding of human behavior is. The only reliable countermeasure is an organization where every employee understands that trust must be verified — every time, without exception.